Friday News & Notes

The S4 call for papers announcement and submission page will come out on Monday — sorry for the delay. You will have two months to submit, but early submittal improves your chances.

Speaking of conferences, next week in Las Vegas is BlackHat, BSides and Defcon. Only a couple of ICS sessions there, but I bet IOActive’s Ruben Santamarta’s session on backdoors in industrial firmware will be a highlight. Ruben is at the top of the heap when it comes to ICS hacking. BSides includes a session on the Termineter smart meter hacking tool that accesses the meter via the optical port.

McAfee has some large claims of power company cyber extortion in their Smarter Protection For The Smart Grid white paper. “The most prevalent cyberthreat reported by the global energy sector is extortion. Criminals gain access to a utility’s system, demonstrate that they are capable of doing damage, and demand a ransom. In the McAfee/CSIS study noted earlier, one in four power companies globally said they had been victims of extortion. In some countries, the incidence is alarmingly epidemic—80 percent in Mexico, for example, and 60 percent in India. And the sums of money paid out are equally staggering—hundreds of millions, by some estimates.” This would be some hard business case data if corroborated, but we haven’t seen this elsewhere and haven’t heard of such things being so widespread as of yet.

Perhaps concerned with President Obama taking all the credit, the UK Parliament’s Intelligence Security Committee admitted to causing disruption in Iran’s nuclear capabilities. The article also makes it very clear that the UK, like most countries, is focused on “accessing the data or networks of targets to obtain intelligence or to cause an effect without being detected”.

CNET’s Elinor Mills wades into the information sharing swamp prompted by a new Cyber Security Task Force: Public-Private Information Sharing report written by the Homeland Security Project. I must admit that I don’t understand why this issue still garners so much effort and discussion. People and organizations, including Digital Bond, only share information when it is in their own self-interest. These proposed changes address the downside of sharing, but not the upside.

Renew Grid covered a recent Senate hearing on Electric Grid security. From the article, “Joseph McClelland, director of FERC’s Office of Electric Reliability, testified that protecting the nation’s electric grid is hindered by limitations in federal authority.” While FERC’s authority may need to be tweaked, it’s a convenient excuse that some in Congress actually seem to promote with questions like “Do you need more authority?” The better questions are: why did you pick NERC as the ERO? Why are you letting the regulated entities set the regulations? How long are you going to let this continue, and do you have a plan to replace NERC if they don’t put in more effective regulations? The full hearing can be viewed here.

Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
